Schneier on Security
A blog covering security and security technology.
« Passwords Alone Don't Protect Trade Secrets |
| License-Plate Scanning by Helicopter »
April 15, 2005
Mitigating Identity Theft
Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person's name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions -- credit card companies in particular -- the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Unfortunately, the solutions being proposed in Congress won't help. To see why, we need to start with the basics. The very term "identity theft" is an oxymoron. Identity is not a possession that can be acquired or lost; it's not a thing at all. Someone's identity is the one thing about a person that cannot be stolen.
The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim's name. He impersonates a victim to the Post Office and gets the victim's address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one's identity is stolen; identity information is being misused to commit fraud.
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can't involve the account holders. That leaves only one reasonable answer: financial intuitions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.
They can't claim that the user must keep his password secure or his machine virus free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.
If you think this won't work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They're not hurting for business; and they're not drowning in fraud, either. They've developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They've pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.
That's an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it's two-factor authentication, ID cards, biometrics, or whatever, there's a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed.
Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don't demand that cardholders secure their wallets in any particular way. Credit card companies simply don't worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.
This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don't know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there'll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we'll never know until the financial institutions have the financial incentive to put them in place.
Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions. They've pushed the costs for fraud onto the merchants. But if they're liable for losses and damages to legitimate users, they'll pay more attention. And they'll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.
By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.
Doing anything less simply won't work.
Posted on April 15, 2005 at 9:17 AM
• 49 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Bruce, this is an excellent piece. It is another instance of economic externalities: the financial instutions do
not suffer the losses which their lax security imposes.
But the same holds of the first problem--the information you give to institutions is not regulated and its release, above and beynod identity theft, is also born by the individual.
This too needs to be curtailed. For example, if my medical information is released a potential employer may not hire me. And so this too needs to be address.
Ultimately, I believe that first issue is a far larger danger to society than the second.
A winning commentary. As usual, the institutions who are most capable of prevention and protection of their account holders - in fact there is some argument that they have a fiduciary duty to their account holders - shift the liability and expense to those least able to succeed, to wit the account holders. AND they make money doing so.
Bruce, you have "hit the nail squarely on the head" with this one!! Good work!
The US has regulations to protect the privacy of patient records and PHI, it is HIPAA, which governs companies that are involved with health care and insurance. The GLBA is similar, but for financal services organizations, to protect the privacy of their customer's information.
However, identity theft (identity fraud), is all about the due diligence that is performed by banks to identify their customers in the first place (the regulations govern what they do with the customer info once they have it).
If a bank opens an account and gives money to someone based solely on public information, like SSN, Mother's maiden name, etc., then the bank should be 100% liable for any financial loss by foolishly assuming this risk and not performing the required due diligence to properly determine that person's identity.
Likewise, if a bank allows transactions to occur against their customer's accounts, without performing the necessary due diligence to ensure that it is really and truly the rightful account holder, then the bank should be held 100% liable. In this case, for online accounts, passwords alone are clearly insufficient and do not demonstrate proper due diligence.
I've been saying, for years, that 'identity theft' is newspeak. It's trying to make you the victim. The actual victim is the bank or whoever. They then turn around and pass the victimhood along to you.
This is akin to someone's car getting stolen, so they steal my car and promise to give it back if I track down the thief.
Don't play their game. Sue the bastards for libel if they knowingly keep lies on your credit report. Them being defrauded is not your problem.
Bruce, I see at least one major issue with your article that you might want to clarify:
You say "no credit card company mandates secure storage requirements for credit cards".
Not true. In fact, the Payment Card Industry (PCI) security requirements mandate secure storage. These were created several years ago by the Credit Card companies to prevent fraud and it was the merchants who have pushed back. Now, it is a compliance requirement with some stiff financial penalties, including the revocation of card processing rights.
I know of some major retailers (who shall remain nameless here) that are still refusing to comply, so you also shouldn't focus blame on the financial companies -- it's a process issue. Moreover, a federal law with breach disclosure requirements is still required to tip the scales in favor of the consumer. Neither the financial companies nor the merchants really care enough yet about consumer privacy issues.
Some say yesterday's post-breach market cap drop for Ralph Lauren was the first sign of a retailer's value tied to their customers' information security. Market forces are only able to take effect after regulation of breaches became law.
For an interesting side-bar to fraudulent business practices that lead to fraudlent use of identities, read today's briefing by The Register:
Again, let's all take a moment to thank Senators Feinsten and Boxer for their work trying to get the CA breach disclosure law passed at the federal level in 2003.
So, Bruce, rather than wax poetic about the need for security in the financial industries, I strongly recommend you quickly catch up and help analyze the PCI to make it as effective as possible (so the big merchant corporations have less to whinge about). I also recommend you get on a panel with the anti-regulation crowd (such as Howard Schmidt) and try to speak some sense into them.
I also think executives that commit fraud, such as lying about breaches that are directly related to massive identity theft, should go to jail. Economic incentives alone are not enough, in fact some of them play both sides of the equation so they make money no matter what the incentive Consider the fact that the ChoicePoint CEO published two books last year on preventing identity theft, while at the same time his company was leaking identity information like a sieve:
1) The Risk Revolution: Threats Facing America & Technology’s Promise for a Safer Tomorrow
2) A Survival Guide in the Information Age
Consider also that Derek Smith opposed the CAPPS system, which meant the government would collect a huge dossier on passengers. He opposed it, apparently, because it would have benefited ChoicePoint's rival companies. So if you think you can outwit the financial foxes in the henhouse of identities, think again.
The market is broken. If you take a look at the vulnerabilities and threats, we would be completely unrealistic (or expecting personal financial gain) waiting for it to fix itself. In other words, our culture has an odd way of handling these situations, but it definitely is capable of classifying some victims as more at *risk* than others. With regard to financial fraud, for example, children and the elderly are usually considered to be far more at risk...but detection and prevention of fraud against these groups is successul only because of clear regulation, not in spite of it.
Hope that helps.
Great article - but it did leave me wondering *how* credit card companies 'secure the transaction'?
Anyone care to explain?
Also - how do we 'secure the transaction' in other security contexts?
I'll explain a little. *How* do the credit card companies "secure the transaction"?
Exactly the way Bruce says they do, but it proves the point against them.
Consumers are able to get their money back BECAUSE the card companies put pressure on the merchants. I would be the first to agree that credit card companies have implemented some good technology (like watching the source of your transactions to see if you make a charge in California today, and Kansas tomorrow). However, if you lose your wallet and some guy runs down to the corner 7-11 and fills up his gas guzzler (for approximately the price of a ming vase, but that's another gripe) the credit company has no way of knowing.
The credit card company relies on *responsable* people to review their statements and let them know. There's a little caveat in all that fine print you get with your card. "You must notify XXXXX Credit Card Company within 90 days of this statement to preserve your reclamation rights under the law."
You snooze you lose, even from the credit card companies.
That question answered, I had my own comment. How fully can you expect the blame to fall on the financial institutions? If I am foolish enough to keep my checkbook in my pocket with all of the blank checks signed, and then drop it on the ground, should the bank be required to reimburse me when someone puts their own name on the Payee line?
I realize its an extreme example, but my point is that to some extent there is personal responsibility. I would like to see you delve into that side of the equation.
Funny thing about responsibility... it really only works well when you take it own yourself and it really works rather poorly when it is forced on you by some external entity or force.
Banks may well be the current "best" technical point for mitigating fraud, but technical considerations probably aren't going to help solve a social problem. And trying to force bansk to take on more responsibility for transactions is probably one of the worst things you could do. If anything, we should be pushing to *ban* banks from being involved in commercial transactions other than between trusted institutions.
I'm quite appalled that you would have such great faith that banks would do a wonderful job of mitigating fraud. You should know better. All they would do is just shift the costs elsewhere, or cut some corners. The last thing we need for our financial architecture is to encourage if not force corner-cutting.
Yes, we clearly need a new transaction payment system. Yes, we need a true identity authentication and validation system (we've never had a real one). But a simple shuffling of the deck chairs is not the way to save any sinking ship.
What we probably need to do is add a layer between banks and commercial vendors whose focus is on identity issues, so that each true financial institution won't have to "roll their own" solution to identity issues. A layer by itself won't solve anything, but since identity will be their only business, they will be by definition taking on that responsibility voluntarily. That's the *right* way to solve the problem.
-- Jack Krupansky
"All they would do is just shift the costs elsewhere"
That is, in fact the point. It shifts the cost from people who can do nothing about it (consumers) to people who can actually do something about it (the banks).
"Right now, the economic incentives result in financial institutions that are so eager to allow transactions -- new credit cards, cash transfers, whatever -- that they're not paying enough attention to fraudulent transactions."
This isn't likely to change soon. Right now, credit companies give credit away like water, then lobby congress for protection from the consequences of their own actions, hence the new, more restrictive Bankruptcy Act.
Only legislation that makes banks and credit institutions take full financial responsibility for their own actions can have a real impact on this situation. Currently if someone forges a check, a bank blames the victim, saying there is no way the bank could have known it was a forgery.
Banking laws are currently stacked in favor of banks. For instance, if a customer finds a banking error, they only have a year to go after the bank for restitution, but if a bank finds the customer made an error, banks have years to go after customers for restitution.
If banks had the same liability as their customers do, banking would become much more secure, very quickly.
Excellent post. I agree that the security has to occur at all the links in the chain. Even if the merchants and financial institutions are secure, consumers have security to worry about.
How ironic that credit cards and ATM cards are designed to use two-factor authentication and sometimes even three (picture), yet we often use them with only one (e.g. giving your number over the phone or on the Internet).
I often get asked to fax my credit card information, and I simply refuse. Instead of putting my card number on the fax, I put my phone number and a note that says "Call me". Believe it or not, this has always worked and allows me to do a verification with someone at a particular time to make it easier to detect and monitor my accounts.
So at what point do consumers start to step up and define or even fight for their "requirements" for secure transactions? Due to the cost and complexity of the issues, I say the vast majority look to the government to represent them fairly against fraud.
Good article, but a few techincally incorrect points:
Banks do push liability for fraudulent transactions onto CNP (card not present) merchants. However, banks DO absorb the liability for card present transactions. Fully. If the merchant has a signed reciept, even if the signiture looks like a donkey, they are not liable. It's the only way merchants will do business. It is unfortunate that merchants have to absorb the cost of fraud via the internet, but there is not currently a secure authentication system (but verified by visa is a step in the correct direction).
@Donald: "I would be the first to agree that credit card companies have implemented some good technology (like watching the source of your transactions to see if you make a charge in California today, and Kansas tomorrow)." How good is that? Some people are in California today, and Kansas tomorrow. The companies can't withhold authorization just because somebody is travelling. Or, maybe they could, but it wouldn't be good for business (too many false positives). What remains is really the customers checking their statements. That's the only mechanism to "authenticate transactions", albeit after the fact.
@Davi: "How ironic that credit cards and ATM cards are designed to use two-factor authentication and sometimes even three (picture), yet we often use them with only one (e.g. giving your number over the phone or on the Internet)." No, they are not designed for two-factor authentication, they are designed for ease of use, which excludes two-factor. Let's not confuse the two-factor-discussion even more.
Davi: I believe Bruce's comment on secure storage of credit cards was with respect to consumers (i.e. consumers need not use any special measures to protect their cards).
As for HIPAA, it seems to be a very good idea on paper, but I don't see it working in the real world. At every doctor's office I've been to since the law went into effect (although that isn't very many), patients are required to sign a HIPAA waiver the first time they visit before they can be treated. The receptionists tell patients, "You _have_ to sign this before we can see you" (emphasis mine), and I don't know what they would do if someone refused to sign. I'm no expert on the exact rules of HIPAA, but the waivers imply that they can do whatever they want with your information, just the way it was before. Sure, it might raise people's consciousness of their privacy, but it doesn't seem to do any good to actually protect personal information. (Please correct me if I'm wrong about what these waivers permit, which I hope I am)
As always, pithy and sane, cheers. But I was wondering if you were inspired by (or colluded on the production of) tonights dilbert.
Rupert Sheldrake lives.
ATM and credit cards are something you have (card) and something you know (PIN). That's two-factor. Merchants also often require photo ID and signature verification. I can't really say what they were truly designed for, I guess, but it always seemed strange to me that we can use the number alone to make Internet/phone purchases...
What Bruce seems to be saying is "don't expect users to do the right thing". Fine, but that is only because it is so easy to do the wrong thing. Make it more difficult to allow fraud but tightening the safety of the identities and the authentication mechanisms and things will get better.
Interesting interpretation. I took the phrase "no credit card company mandates secure storage requirements for credit cards" to mean exactly what it says. If you think Bruce was suggesting that it would be a GOOD or FEASIBLE idea for credit card companies to somehow mandate protection by the cardholders themselves, then he would be completely contradicting his earlier statement that "Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can't involve the account holders."
I say we keep this simple. If you want anonymous transactions, use cash or a similar anonymous transaction medium. If you want to give your cash to a business that will track and monitor your finances, then you need to be aware that you have just transfered a great deal of responsibility for the security of your cash to another entity.
Bruce wrote: "But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn't the way to proceed." And he wrote: "They concentrate on verifying the transaction."
My interpretation of these statements was that the above was current practice concerning credit/debit card transactions, and it was Bruce's recommendation for adequate practice in setting up new bank accounts (or similar).
Now, what is the definition, in each of these cases, of "verifying the transaction"?
In both cases, this could include verifying the identity of the cardholder or the applicant trying to set up the bank account (or similar).
In the case of credit/debit card transactions, current practice is to avoid this, as it is too difficult. The resultant level of fraud is accepted, as part of a security system that offers an appropriate trade-off between cost of security and benefit from security.
In the case of opening a new bank account (or similar), it looks to me (and probably many others) as if the down side of not checking personal identity (in most or many cases) is too large, compared with the cost/effort in checking identity. We therefore need means for checking idenitify that are: (i) good enough, and (ii) not too costly to implement.
If "verifying the transaction" of opening a bank account (obtaining credit, or similar) does not require confirming the identity (at least name and address) of the prospective account holder, would someone please explain to me what is required (in totality or as a substitute), and why that is good enough.
Donald Smith: You asked: "How fully can you expect the blame to fall on the financial institutions? If I am foolish enough to keep my checkbook in my pocket with all of the blank checks signed, and then drop it on the ground, should the bank be required to reimburse me when someone puts their own name on the Payee line?"
I interpret your question as asking why should the institution pay for a client's stupidity, and thence, why should the law be written around that. For answer, look at traffic law. It takes great trouble to account for stupidities, and human mistakes. Yet people die on the roads, knowingly drink-drive, and so on.
The law is framed to protect the weak and stupid. Everyone is weak and stupid about something, some time.
If you read the full paragraph about secure storage of credit cards, you can see that he is talking about the fact that individuals are not asked to store their credit cards in secure ways. Nor is he advocating that it should change -- he's pointing out that even though no such requirement exists, the credit card companies still effectively mitigate their risk. He's not talking about merchants storing credit card numbers.
One of the methods for preventing identity theft (ie, using someone else's personal information to open a new credit account) that has gained some traction is the ability to freeze one's credit file. The idea is that before a creditor/merchant will open a new account for you, the creditor will first check your credit file to make sure you're credit worthy. If you could "freeze" your credit file, then no one else could view your credit file without your permission. Hence, no identity theft, since only you would be able (in theory) to unlock your credit file. And the ability to lock and unlock your credit file would be a necessity, since you'd need to unlock your file if you yourself wanted to apply for credit.
Of course, the credit bureaus don't want to let you freeze your credit file, since this would impede their ability to sell your credit information. But in several states, they must provide this ability by law.
One problem with a credit freezing service (besides the fact that the credit bureaus make it expensive to use) is that the ability to unlock your credit file (and relock it again) today depends on knowledge of a PIN. So all it would take for a fraudster to open new accounts in your name would be to steal your PIN and unlock your credit file.
If credit freezes are a viable way to prevent identity theft, then it will take something stronger than a PIN to keep your credit file secure. Something like, say, two factor authentication. So, for example, if a bank does a good job of verifying a person's identity when applying for new account, and the bank employs two factor authentication, the same identity credentials used for authenticating at the bank could be used for authenticating to the credit bureau.
Using the credit card model as an analogy for dealing with fraudulent transactions seems poor because the credit card model doesn't seem to actually prevent fraudulent transactions from taking place. Rather it depends on the bank's (or the customer's) ability to detect the transaction after the fact, and then deal with it before too much damage results. This is what the bankers call "risk management." The goal for identity theft should be more along the lines of "zero tolerance"; that is, to prevent fraudulent transactions/account openings from occuring at all. And that seems to require some form of strong identity authentication.
One of the problems with not allowing the CC companies to pass the cost to the merchant is that it will become realy, extremely hard to get any resolution in any claim. The user will have to go through a LOT of hoops because the CC companies will be protecting _their_ money. Ultimately the end user will be the looser.
Personally, I think they need to assign PIN to every credit card. This way, if a card is stolen, they won't be able to use it. We can always change the PIN if we think it might have been compromised.
This is a very timely article, as I found out yesterday that I was the victim of identity theft. Jon Solworth's comment about this being an economic externality from the bank's perspective was a nice piece of insight into why this mess hasn't been clean up.
If you were to propose legislation to tighten the banking laws, what would you do? I've been thinking about running for office someday, so I may be in a position to do something about it. It would be helpful if I knew what. :)
Here's a simple idea that I've been entertaining for years: change the law so that no credit agreement is legally binding (nor grounds for a negative report to a credit bureau in case of nonpayment) unless an in-situ photograph of the applicant signing the contract is attached to it.
This would be trivial in these days of digital cameras and polaroids, and would certainly cost less to the credit companies than the billions that the identity theft costs them these days.
That would be the end of most identity theft right there. Should any criminal be stupid enough to apply for credit under a false identity, the cops would have his mugshot to start looking for him with.
Of course, the credit companies that operate on the internet would find it impossible to operate, but since they were the ones who creates this mess in the first place, that's exactly what they deserve.
"They can't claim that the user must keep his password secure or his machine virus free. They can't require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren't reasonable requirements for most users. The bank must be made responsible, regardless of what the user does."
Go Bruce! A three year old is supposed to check his credit report? Or protect his password? (Passwords must not contain the word goo...
Ok, I'll take your version as a fair interpretation, but the fact is the credit card companies DO mandate secure storage requirements for credit cards.
And while it is technically correct that the companies don't demand that cardholders secure their cards in any particular way, they do make some recommendations and provide 24x7 security response (which is probably as far as they could have been expected to go before the disclosure laws increased public awareness). And credit card companies DO worry about verifying the cardholder and the put requirements on what s/he does (in addition to verifying transactions). For example...consider the simple credit limit.
Speaking of fraudulent transactions and credit card company liabilities, what about the recent legislation approved by the House that makes it harder for families to declare personal bankruptcy? Bruce is right about the fact that the credit card companies are rolling in the profits ($30 billion in last year). The bill seems to do nothing to stop the causes of bankruptcy, but it helps the card companies skirt any responsibiltiy for the issue.
Or, as Bankrate.com puts it "how [a credit card] offer transforms from an envelope in the mailbox to a glossy credit card in the wallet or purse and then subsequently onto the counter at a department store or restaurant is not the credit card company's doing."
Tim said: "The law is framed to protect the weak and stupid. Everyone is weak and stupid about something, some time."
Very Orwellian Tim. You have just defined Big Brother government. Should the government write a law to regulate every instance that may go wrong because of stupidity? I am not against financial institutions being responsible for wrongdoing when they are able to prevent it, however if you started creating laws to deal with every contingency, there would soon be little freedom left in this world.
Here's one of the big issues: People believe that financial institutions should be responsible because that's where the money is. My problem with that scenario is laws written in in this manner would be biased, not fair. Laws are supposed to be designed to protect the innocent.
Let me posit a question: What do you do when both parties are innocent? Lets say that you have a legitimate fraud happen in which you did nothing unreasonable (i.e. someone broke into your house and stole your credit card.) Then they use that credit card over the phone or at an online merchant. Is the user responsible? No, their privacy was violated. Was the financial institution responsible? No, it was the merchant that accepted the fraudulent transaction.
Now let me contradict what I just said, slightly. Somewhere in the process, I believe there is a financial institution that is marginally responsible for my example transaction: The company that issued the merchant his transaction authority. However, this institution realizes that it is responsible for the actions of its clients, as an exposure of doing business, so they create a contract with that client that dictates terms of usage, including the risky nature of accepting online transactions. The client accepts responsibility for fraudulent transactions in exchange for the right to process credit card transactions through the financial institution.
My final conclusion is this:
--I believe (in the credit card scenario) that responsibility lies in the correct place--with the merchant that accepted the fraudulent transaction.
--Furthermore, I believe that most other responsibility is correctly placed as well. If a bank accepts a new checking account and loses money because of check kiting on a fraudulent account, they eat their losses as a cost of doing business, and they DON'T file a bad credit report with the credit agencies because they know it wasn't really that person.
What we really need is not laws designed to regulate the financial institutions, we need laws to regulate the agencies that deal in personal information. But as discussed, laws are not in and of themselves the solution.
This topic/thread has now dropped off the currently displayed list.
Back on 17th April, I wrote:
'If "verifying the transaction" of opening a bank account (obtaining credit, or similar) does not require confirming the identity (at least name and address) of the prospective account holder, would someone please explain to me what is required (in totality or as a substitute), and why that is good enough.'
I haven't seen any response. Does that mean agreement here, that a bank/credit account (or similar) should not be opened without adequate checking of the identity of the applicant?
I agree with you, but I don't think that was Bruce's point. The "transaction" of opening a bank account is something you do directly with the bank.
"Verifying the transaction" seems to me to refer to something like a credit card transaction, where the financial institution is responsible, but all they have availible is the actual transaction, not the person conducting the transaction.
How can they verify the identity of someone they never have any contact with?
A bank/credit account HAS to be opened using sound identity checking processes, but once it is open, the identity of the authorized user is (hopefully) confirmed. Now (according to Bruce(I think)) the institution is concerned with the TRANSACTION, which should be verified as allowed by the authorized user.
I would personally say that you can't do that without some sort of agreement upon a verification method with the user, whether it is signature, two factor authentication, or retina scans and DNA samples.
There needs to be a solid method of verifying that the transaction is authorized. I believe the best way to do that is to ensure that it is the authorized user creating the transaction.
Greetings from Sweden. Just like to make a few comments:
Two points about credit cards first:
1. Credit card databases are also filled with credit card details of victims of ID Theft - rubbish in rubbish out. So securing that database is securing a whole lot of rubbish as well.
2. Credit card issuers look for fraud by looking for 'unusual patterns' which is not exactly a science - there are as many false positives as there are false negatives.
Is it theft or impersonation or is it fraud?
Is that important? It is not important now because there is now a REAL security solution against ID Theft.
I have invented the FIRST & ONLY REAL SECURITY SOLUTION AGAINST ID THEFT.
I believe that before the end of 2005, ID Theft will truely be a thing of the past. It is a bold claim I know - but it would have stopped the recent ID Thefts at ChoicePoint, Lexis Nexis, BOA, HSBC, GM, MasterCard, VISA, IRS, ... and no one would have been a victim of ID Theft.
It will do everything that paper shredders, encryption, firewalls, anti-virus, biometrics, PIN & Chip, disposable passwords, locked letter boxes, locked rubbish bins and dumpster, ID Theft Law, credit report monitoring, credit report flagging, ... could not. None of the so called security solutions mentioned or any of the ID Theft preventive steps and advice one can find on the Internet could have prevented the recent explosion of ID Thefts. We could.
New laws like all other laws cannot stop ID Thieves or murderers or drug traffickers ... it will only inform the victims that they have been 'raped' like what the California law did and put a few criminals in jail - thats about it.
I think that ultimately ordinary citizens, privacy advocates, personal security advocates, and activists should work together for the common good. Big businesses and corporations and governments can help the citizen-group but they cannot do more because they have lost too much trust with the public. The public are seeing the so-called security solution for IDs like credit report monitoring, etc. for what they are: they don't work and it is another way to make money from the victims. Flagging credit reports will not stop criminals fron using stolen IDs to apply for new driver's licenses or getting married. Credit reports don't show everything.
Governments and big corporations have lost nearly all their trust-capital with their voters and customers. Anything they do will be seen as Big Brother or at least with some hidden agenda and taken with little trust.
So Mr Bruce Schneier and all you people out there with an interest in ID Theft ... let us be THE CHANGE. Thanks for the opp. to comment.
I have been reading some very interesting stories and points of view, and would recommend that all of us to take a quick look at a website that deals directly with Identity Theft Restoration. It puts the power back into the hands of the people. You will find it extremely interesting. The Url is www.GotHassles.com
I have come to find from being a victim of ID Theft, that it’s not a matter of "IF" you become a victim of it, but "WHEN". I never thought it would happen to me!
As Lynn Polucki has stated
the desire to court big business in the bankruptcy Court arena has moved the fence from gray area interpretation to
ignoring the law or breaking the law for the sake of court-ing the big bucks.
In eToys 01-706 Her Honor Mary Walrath, in an apparent effort to defeat a whistleblowers appeal, came out with the OPINION of October 4, 2005..
Where she stated that when the attorney for the creditors committee(Traub Bonacquist & Fox) placed in as CEO of the Debtor, his partner, Barry Gold.... Post petition....in secret, while lying to the Chairman of the Creditors committee..
it was no big deal
and she 'warned them" not to do it again or else
In the meantime..
A chairman of the bondholders committee has gone to work for an employer of Traub Bonacquist & Fox.
RR Donnelley who was also a co chair, failed to report that it had 2 Goldman Sachs members on their board...
So when the whistle blower pointed that out,,
RR Donnelley and Goldman Sachs divested themselves of one another to the tune of $350 million
Lawrence Friedman the Chief Administrator in Washington DC of the US DOJ US Trustee's told the whistle blower that it would be taken care of.
Then Lawrence Friedman replaced Region 3 Trustee Roberta DeAngelis with Kelly B Stapleton, stating Stapleton was vastly experienced in Fraud prosecution.
Then Frank Perch on Feb 15, 2005 placed a motion to Disgorge and disgualify Traub in the record for $1.6 million out the $14 million in fee's paid out,,, stating such was "inadequate" due to the "draconian" Rule 1144 as the PLAN was confirmed in Nov 2002, the 180 days prevented any thing else.
Then Traub hired former Federal Justice James Garrity and Mark Kenney the attorney for the US Trustee's in Wilmington DE placed a Motion for a settlement to the "inadequate" Motion for only a $750,000 fine and broad based "immunity" language.
Then, this whistle blower complained to Lawrence Friedman
Lawrence Friedman resigned for "personal reasons"
a copy of all proofs of Fraud was acknowledged received at the US Trustee's general counsel office in Jan, Feb and March 2005.
The trial for the claim of the whistleblower was to occur in June 2005...
The whistleblower discovered ,,after the sanction motions, that Traub and Barry Gold had also worked for Liquidity Solutions/Bain/Stage Stores a Texas Bankruptcy S Dist 00-35080
Michael Glazer is director at Stage Stores and CEO of KB Toys..
Barry Gold and Paul Traub sold the assets of eToys to KB Toys..
Michael Glazer paid himself and others over $100 million in KB Toys 04-10120 pre petition. Paul Traub,, who has also failed to disclose his conection to Bain, Glazer,, asked the KB case Judge for the right to prosecute the $100 million preferential.
This whistle blower then blew the whistle in the KB Toys case about those non disclosures.
Kelly B Stapleton and Mark Kenney placed the only Motion to ask his Honor Sullivan to expunge the whistleblower statement.
the Judge heard the whistleblower and made the ruling to expunge at 3 p m
the signed Order was on Pacer Public website at 2.45 p m.
Her Honor Walrath removed His Honor Sullivan a few days later.
Then the Wall Street Journal on July 25, 2005 placed an article about the non disclosures
Then Her Honor Walrath assinged the whistle blowers CLI claim to his Honor Baxter.
His Honor Baxter then rescheduled the CLI claim to Sept 2005
Then his Honor Baxter allowed CLI contigency attorney to withdraw.
then His Honor Baxter dismissed the whistle blower claim, refusing to allow an attorney to place in his Pro Hac Vice
Then the whistleblower appealed.
Then, after more than 6 months and the March 1, 2005 hearing in which Paul Traub admitted that he paid Barry Gold 4 payments of $30,000 each prior to sneaking Barry Gold in as CEO of eToys at $40,000 per month... Her Honor Walrath, apparently headed off the appeal by approving the TBF settlement.
Her Honor stated she would NOT refer the matter to the US Attorneys office.
And then Her Honor, after taking 6 months to draft the OPINION of October 4, 2005 stated FALSELY that Barry Gold as a "pre" petition employee did not have to apply under 327(a) or 2014..
eToys filed on March 7, 2001,,,
Barry Gold, Paul Traub and MNAT all testified that Barry Gold was hired as "wind down coordinator" on May 21, 2001.
a shareholder and this whistleblower filed 2 separate appeals about the slap on the wrist, incorrect OPINION of her Honor Walrath.
Then 2 men visited the whistleblower telling him to "back off" or else.
Then the Clerk of the Delaware Bankruptcy Court failed to transmit the appeal(s)
When calls were placed to David B's office as to why,,, the whistleblower was informed there was NO Appeal(s)
then the whistleblower called back and was transferred to Enisha of the DE clerks office..
Enisha stated the appeals were going to be dismissed on Dec 1, 2005....
When questioned as to why Enisha would violate Fed Rule of App Proc 8005, 8806 etc.
Enisha replied she does what Traub instructs..
this whistleblower then called the MD FBI about the threat as an eToys shareholder was driving to DE from CA to be at the illegal appeal dismissal hearing..
When the presence of the Armed US Marshall the hearing was stopped and the appeal was subsequently transmitted, 2 weeks late...
We have filed reports with the OIG, the OGE, the FBI, the US DOJ and the OPR,, all stating that the proper protocol is to file a note and fax with the General Counsel of the US DJ Trustee office in Washington DC..
Each girl that has previously worked there, given her name and verified that the fax has been received, no longer works there.
The last girl,, ANNE,,, stated there was no file ever created..
when it was refaxed to her with the names of all the former employee's who had verified,,,she said she would get back
she did call back and said that it had been lost in the "cracks" that it had been assigned to Paul Briden-Hagen..
Then she stated a letter was forth coming.
Upon calling her again she stated it was in the "edit" mode.... for review by the Acting General Counsel..
We found out, subsequently, that Frank Perch has also resigned and the new "Acting" General Counsel is Roberta DeAngelis..
Now, who is paranoid?!
As an educator with a masters I was very surprised when I had a problem & had to resolve it myself, boy what a fiasco! I was then amazed to find out that Identity Theft is one of the fastest growing crimes out there. I think we could truly call Idetity Theft an epidemic. In order to further protect my self I researched several Identity Theft Companies. Here is a link to one that received wonderful reviews in magazines such as Forbes, Barrons, Fortune, Financial World, Success etc. Here's the link for more info :) www.prepaidlegal.com/hub/janinstarrlm I hope this helps some of you out there :)
I recently found out my SSN number was being used to open can charge up credit cards. Can I sue the credit card companies for this? I don't want to get into a lawsuit but I am so mad that they allowed this to happen; that their security was lax.
Thank you for your article, and yet it did not address my specific situation. My mother died 2 months ago, and in going thru her bank statements I found $75 "WTS" charge, monthly since 2000!!!! Digging around I found MONDOPORNO.com was the charge, and my cousin "Bill's" name on the transaction. Winds up this porno site has been autowithdrawing (by way of the culprit entering in the info from mom's checks) from their account, and my parents missed it all these years: $4,000! The way I got my cousin's name was from the Bank, and they are currently telling me they can't do anything, even though the charge was made by "BILL" to my parents account, which is not this name. I'd like to do something to recoup this cost, but of course, the 3rd party billing: WTS wasn't talking and neither was MONDOPORNO, go figure.
I am extremely grateful for any guidance here.
THANK YOU FOR THIS BLOG!
I have a serious question and i need some serious answers. Okay listen what would someone do if they got an identification card in someone else's name as a joke, and the police found it and found someone else's face with someones name? They never presented it to a police officer, or never got a credit card or even applied for one... they never did anything with it... it was only a joke. She didnt realize the consequences. Is she in trouble? Is that considered identity theft. Bruce she needs your help here. What should she do? She never used it in any illegal way. Well, except for getting it... that was illegal huh?
If anyone is looking for ID Theft restoration, let me know and I can bring you a solution. firstname.lastname@example.org
Why has no one who has been burned by mail theives using prescreened credit offers gone for a class action suit aimed at Citi Bank, Chase and fellow junk mail purveyers?
I have a question. Do the credit card companies have any responsibility to report known credit card fraud to a bankruptcy Trustee, if the fraud is included in a bankruptcy? If they don't are they not, at the very least, proliferating bankruptcy fraud?
This is an excellent article about the seriousness of identity theft and credit card fraud.
Just this past year, I have had three close friends become victim to identity theft and it literally ruined one of my friend's chances to buy property.
With illegal immigrants now being caught using real US citizens social security numbers, the problem seems to get worse.
Therefore, I will like to thank you Bruce for posing a blog entry about this serious matter. It must be talked about.
I recently setup a news blog about the seriousness of this issue at:
Thanks again for talking about this.
In the US for consumer bank accounts, the bank already *is* liable/responsible for all fraudulent electronic transactions (except for a small deductible and except for any fraudulent transactions that happen more than 60 days *after* the fraudulent activity begins) under Regulation E. This applies regardless of how the account was compromised, even if you wrote your PIN on your ATM card and left it on the floor in front of the ATM, and even if you were seemingly grossly negligent and stupid in (not) protecting your online banking password.
You seem to be unaware of or ignoring this fact.
Of course if you have a business account you're out of luck, which is why I would never do online banking for a business account.
Do anyone have idea of what exactly do the Fraud Restoration Services assist in us, when we are an identity theft victim.
Feel free to mail me @ email@example.com
I'm currently organizing a lawsuit against a variety of large banks that are allowing Identity Theft to affect millions of Americans lives, honesty, and time. These banks include, but are not limited to, Citibank, Chase, Bank of America, MBNA, and GE Money Bank. It's amazing that after notifying these banks of my situation, their commission-based collection representatives continue to call. I've even received a letter from Chase indicating that a "digital tape" with my personal information may have been lost or stolen. A class action lawsuit would probably be the least effective when convincing the banks to create a solution. Please e-mail me, and we can work together in litigating these banking corporations. My e-mail is firstname.lastname@example.org, and my AIM is BankLawsuit. I will eventually be creating a website.
IS IT BANK MANAGER'S STUPITDY OR INSIDER BANK FRAUD?TWO YEARS AGO MY LONGTIME BOOKEEPER WAS ABLE TO ACESS MY DORMANT LINE-OF- CREDIT FOR $250,000 without authourization the bookeeper was friendly with the bank manager (socially went out for drinks etc.)the bookeeper ( EMBEZZLER) WAS NOT A SIGNER ON ANY ACCOUNT. prior tothe first draw of $89,000 MY checking accounts were in dis-aray,i had overdrafted over 200 checks in the main and payroll accounts, i was unaware of the because the embezzler intercepted all of my bank statements and'CUT & PASTED ' them to 'look good'. hER SCAM WAS TO STEAL CASH RECEIVABLES SOMETIME S $20,000 to $30,000 A WEEKAND COVER THEM UP WITH $250,000line-0fcredit. if the bank manager had only 'CALLED ME, THE CUSTOMER ONLY ONCEI I MAY STILL BE IN BUSINESS TODAY, I LOST EVERYTHING. THE ONLY THING THE BANK IS WILLING TO DO IS WALK AWAY FROM THE $250,000 in favor of a general release . forget about it. this bank manager and my employee 'SCAMED ME'over 500 large and when i get enough to pursue with AN HONEST LAWYERI , I WILL. be aware of insiders they play games too.
Here is some great information about ID Theft Stats, things alot of people are not talking about, and comparison charts:
Lots of research was put into this: http://tinyurl.com/5huncs
Senior ID Protection Associate!
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.